Ounce Labs, a software risk analysis company, has uncovered two security vulnerabilities in the Spring Framework.

Considering how long Spring has been in use, and its popularity, how could such vulnerabilities remain hidden so long? After all, isn’t one of the hallmarks of open source the strong community vetting? Could it be that the shift towards single vendor-driven open source is making open source riskier?

What the Spring vulnerabilities are

Kudos to Ryan Berg, chief scientist and co-founder of Ounce Labs, and Ounce team for uncovering the issues and working with SpringSource to raise awareness.

According to Ounce Labs:

The specific vulnerabilities are “ModelView Injection” and “Data Submission to Non-Editable Fields.” These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application itself, and access to any data, credentials or keys held in the application.

If your applications use the Spring Framework, be sure to read FAQs from the SpringSource advisory and the Ounce Security Advisory.

The deeper question on open source vetting

Now, the reason this story caught my eye:

“As we put more and more trust into the frameworks that are the foundation of our applications, we need to make sure we understand the security decisions made so we can make the right implementation choices.”

Two key benefits of OSS are the ability to read and understand the code we use and that “many eyes scouring the code” makes the product more secure.

Considering the millions of downloads of the Spring Framework, should we have expected someone to discover these security holes earlier? Or do developers use what the next guy/gal is using, trusting that “someone” has done the due diligence?

How should we interpret the news versus the long-held belief of increased security as a result of “more eyes scouring the code”? Could that be a trait of merit-based OSS projects that isn’t likely to show up in OSS projects where a single vendor writes the code?

If developers outside the company can’t contribute code, what is the likelihood that a developer will look at a piece of code within the project and ask, “How can I make this better?” — and in the process uncover a potential security issue?

I’m really asking a fundamental question: Are merit-based OSS projects more secure than single-vendor-driven OSS projects?

Thoughts?

PS: I should state: “The postings on this site are my own and don’t necessarily represent IBM’s positions, strategies or opinions.”